I just use the security questions as another password, like my favorite color is JyQ|l[Duc-I6KrU-0k and I went to elementary school at ?YfBW+Yurh@m$lml":.
I do this. I told the CS rep that my password hint was "just random characters mashed on the keyboard" and she accepted this and moved on. I'm not sure what to think of the security implications.
Worse, if reps can see the answer, then this is equivalent to not hashing the passwords at all since you have a password-equivalent stored in plaintext.
>> they were annoyed about people being able to see part of their SSN
Part of? I worked for AT&T back when they merged with Cingular. We only asked for the last 4 over the phone, but the entire 9-digit SSN was shown in the app. Every single low-level employee had (has?) the entire SSN in front of them. Never dared tell a customer that little fact when they made a fuss over my having access to their last 4.
That's what you get when the reps can see the answers. The only working solution is to have the reps "log in" to the user's account by entering the security question answer.
If the reps can see the answer, it's far too easy for the attacker to turn the verification process into a game of twenty questions.
I've had this before with my bank, when I've had to authorise a large card payment (for a car). I was asked various security questions about monthly recurring payments from my account (in the UK, so standing orders and direct debits), but I have so many I can't keep up, and I change savings accounts and health, car, home, pet insurer every year to get a good deal.
The rep on the phone kept prompting me when I was unsure. She'd mention an amount, then when I was unsure she'd say something like, "maybe it's for your mortgage...? Maybe the company begins with the letter 'N'?"
It was all a bit silly, security theater at its finest.
I had the opposite recently. Trying to log into my alma mater's website to get a copy of transcripts, but my account had long ago locked out. They asked me questions over the phone to reset it, but I couldn't answer any of them.
"What is your phone number on file?" Shoot, I don't know, it was an old number that I changed maybe 6 years ago...
"What is your address on file?" I've moved maybe five times since then? I tried "was it in another state?" to narrow it down, but the answer was "I can't say that".
"Okay, we can verify you by classes you took..." Great, now we're getting somewhere! I took Intro to Ethics. "We need to know what term." Okay, this is tricky, it was like 10 years ago... Fall of 2006? "We need to know the professor's name." Um. I think I have the book here, I know he wrote it... Professor McLaughlin? "I also need to know the day of the week the class was held and what time the class was."
Are you effing kidding me? I wish I was joking. I ended up just calling my old advisor and he "verified" me with an email to the helpdesk.
I was literally just about to post this. I refuse to make my password less secure though - and security questions really are just "alternate passwords".
I've never had a problem but I have had a few reps who are trying to not act really surprised. I've had one instance of someone trying to stifle laughter (of the "You can't be serious") kind. Taking security seriously is a rare thing. :(
They usually stop me after the 8th or so character. I'd be concerned but if any potential social engineer has the first 8 characters they likely have the full string anyways so stopping early makes both our jobs easier.
On several social engineering calls I've had reps who were happy with just "it's just a bunch of random characters, would be a little silly if I tried to read it out".
Perhaps I should say that my first pet's name was "mellower retry audited grieves" rather than "esrhciaiyzhkj". (Both are random, and both have very close to the same information content given the dictionary I used.)
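The information-content comparison in the comment above, worked through as an added example (not code from anyone in this thread): a 13-letter random lowercase string and a 4-word random passphrase carry about the same entropy once the word list is around 40,000 entries. The word list below is a constructed stand-in; the 40,000-word and 7,776-word list sizes are assumed figures, not values from the thread.

```python
import math
import secrets

# Constructed stand-in word list. Only the SIZE of the list a generator draws
# from sets the entropy, so a real list (tens of thousands of words) is assumed
# in the calculations below, not this tiny sample.
WORDS = ["mellower", "retry", "audited", "grieves", "harbor", "pencil", "quartz", "violin"]
LOWERCASE = "abcdefghijklmnopqrstuvwxyz"


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `symbol_count` choices."""
    return length * math.log2(symbol_count)


def words_needed(target_bits: float, list_size: int) -> int:
    """Fewest words from a `list_size`-word list that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def random_chars(length: int, alphabet: str = LOWERCASE) -> str:
    """Answer in the 'esrhciaiyzhkj' style, drawn with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(count: int, words=WORDS) -> str:
    """Answer in the 'mellower retry audited grieves' style, same CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(char_len: int = 13, list_size: int = 40_000) -> dict:
    """Bits for the thread's two answer shapes, plus the word count that matches."""
    char_bits = entropy_bits(len(LOWERCASE), char_len)
    return {
        "char_bits": round(char_bits, 1),                 # 13 lowercase letters
        "words_to_match": words_needed(char_bits, list_size),
        "phrase_bits": round(entropy_bits(list_size, words_needed(char_bits, list_size)), 1),
    }


if __name__ == "__main__":
    print(compare())            # assumed 40,000-word list: 4 words match 13 letters
    print(compare(list_size=7776))  # assumed 7,776-word list: 5 words needed
    print(random_chars(13), "|", random_words(4))
```

The passphrase form is the one a rep can plausibly read back over the phone; either form is only as strong as the generator and the list size behind it.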